Abstract. We extend the Multi-lane Spatial Logic MLSL, introduced in previous work for proving the safety (collision freedom) of traffic maneuvers on a multi-lane highway, by length measurement and dynamic modalities. We investigate the proof theory of this extension, called EMLSL. To this end, we prove the undecidability of EMLSL but nevertheless present a sound proof system which allows for reasoning about the safety of traffic situations. We illustrate the latter by giving a formal proof for the reservation lemma we could only prove informally before. Furthermore we prove a basic theorem showing that the length measurement is independent from the number of lanes on the highway.


1. Introduction 

In our previous work [HLOR11] we proposed a multi-dimensional spatial logic MLSL inspired by Moszkowski's interval temporal logic (ITL) [Mos85], Zhou, Hoare and Ravn's Duration Calculus (DC) [ZHR91] and Schäfer's Shape Calculus [Sch05] for formulating the purely spatial aspects of safety of traffic maneuvers on highways. In MLSL we modeled the highway as one continuous dimension, i.e., in the direction along the lanes, and one discrete dimension, the different lanes. We illustrated MLSL's usefulness by proving safety of two variants of lane change maneuvers on highways. The safety proof establishes that the braking distances of no two cars intersecting is an inductive invariant of a transition system capturing the dynamics of cars and controllers.

In this paper we introduce EMLSL which extends MLSL by length measurement and dynamic modalities. In comparison to MLSL, where we are only able to reason about qualitative spatial properties, i.e., topological relations between cars, EMLSL also allows for quantitative reasoning, e.g., on braking distances. To further the practicality of EMLSL, we define a proof system based on ideas of Basin et al. [BMV98], who presented systems of labelled natural deduction for a vast class of typical modal logics. Rasmussen [Ras01] refined their work to interval logics with binary chopping modalities. Since EMLSL incorporates both unary as well as chopping modalities, our proof system is strongly related to both approaches.

Besides providing a higher expressiveness, extending MLSL enables us to formulate and prove the invariance of the spatial safety property inside EMLSL and its deductive proof system. We demonstrate this by conducting a formal proof of the so called reservation lemma [HLOR11], which informally states that no car changes lanes without having set the turn signal beforehand.

Further on, we show undecidability of a subset of EMLSL. We adapt the proof of Zhou et al. [ZHS93] for DC and reduce the halting problem of two counter machines to satisfiability of EMLSL formulas. Due to the restricted set of predicates EMLSL provides, this is non-trivial.

The contributions of this paper are as follows: 

• we extend MLSL with length measurements and dynamic modalities (Sect. 2);

• we show the spatial fragment of EMLSL to be undecidable (Sect. 3);

• we present a suited proof system and derive the reservation lemma (Sect. 4).

The differences to our publication in the proceedings of the 10th International Colloquium on Theoretical Aspects of Computing (ICTAC) in 2013 [LH13] are:

• we include the proofs for the preservation of sanity conditions of the spatial situations along the transitions (Sect. 2), the undecidability result (Sect. 3) and the soundness of the proof system (Sect. 4);

• we show an additional formal proof within the proof system for a theorem showing the independence of length measurement from the width (i.e., the number of lanes currently perceivable by a car; see Lemma K3). This proof is straightforwardly adaptable to a proof for the reversed situation, i.e., the independence of width measurement from the extension (the part of the highway currently perceived by a car in driving direction);

• we added means of moving the part of the highway perceived by a car along the passing of time in Sect. 2. This addition also has an impact on the form of the labelling algebra of the proof system in Sect. 4.

2. Extended MLSL Syntax and Semantics 

The purpose of EMLSL is to reason about highway situations. To this end, we first present the formal model of a traffic snapshot capturing the position and speed of every car on the highway at a given point in time. In addition a traffic snapshot comprises the lane a given car is driving on, which we call a reservation. Every car usually holds one reservation, i.e., drives on one lane, but may, during lane change maneuvers, hold up to two reservations on adjacent lanes. Furthermore, we capture the indication that a given car wants to change to an adjacent lane by the notion of a claim, which is an abstraction of setting the turn signal. Every car may only hold claims while not engaged in a lane change.

Intuitively, traffic snapshots shall formalize situations as depicted in Fig. 1. Each car drives at a certain horizontal position and reserves one or at most two lanes. The car E is currently claiming the lower lane, depicted by the dotted polygon. For a car, we subsume its physical size and its braking distance, i.e., the distance it needs to come to a safe standstill at its current speed, under its safety envelope. As an abstraction of sensor limitations, we assume each car to observe only a finite part of the road, called the view of the car. The dashed rectangle indicates a possible view of the car E.
Figure 1: Situation on a Motorway at a Single Point in Time

To formally define a traffic snapshot, we assume a countably infinite set of globally unique car identifiers $\mathbb{I}$ and an arbitrary but fixed set of lanes $\mathbb{L} = \{0, \ldots, N\}$, for some $N \ge 1$. Throughout this paper we will furthermore make use of the notation $\mathcal{P}(X)$ for the powerset of $X$, and the override notation $\oplus$ from Z for function updates [WD96], i.e., $f \oplus \{x \mapsto y\}(z) = y$ if $x = z$ and $f(z)$ otherwise.

Definition 2.1 (Traffic snapshot). A traffic snapshot $TS = (res, clm, pos, spd, acc)$ is defined by the functions

• $res : \mathbb{I} \to \mathcal{P}(\mathbb{L})$ such that $res(C)$ is the set of lanes the car $C$ reserves,

• $clm : \mathbb{I} \to \mathcal{P}(\mathbb{L})$ such that $clm(C)$ is the set of lanes the car $C$ claims,

• $pos : \mathbb{I} \to \mathbb{R}$ such that $pos(C)$ is the position of the car $C$ along the lanes,

• $spd : \mathbb{I} \to \mathbb{R}$ such that $spd(C)$ is the current speed of the car $C$,

• $acc : \mathbb{I} \to \mathbb{R}$ such that $acc(C)$ is the current acceleration of the car $C$.

Furthermore, we require the following sanity conditions to hold for all $C \in \mathbb{I}$.

(1) $res(C) \cap clm(C) = \emptyset$

(2) $1 \le |res(C)| \le 2$

(3) $0 \le |clm(C)| \le 1$

(4) $1 \le |res(C)| + |clm(C)| \le 2$

(5) $clm(C) \neq \emptyset$ implies $\exists n \in \mathbb{L} \bullet res(C) \cup clm(C) = \{n, n+1\}$

(6) $|res(C)| = 2$ or $|clm(C)| = 1$ holds only for finitely many $C \in \mathbb{I}$.

We denote the set of all traffic snapshots by $\mathbb{TS}$.

The kinds of transitions are twofold. First, we have discrete transitions defining the possibilities to create, mutate and remove claims and reservations. The other type of transitions handles abstractions of the dynamics of cars, i.e., they allow for instantaneous changes of accelerations and for the passing of time, during which the cars move according to a simple model of motion. For the results presented subsequently, we only require the changes of positions to be continuous.

Definition 2.2 (Transitions). The following transitions describe the changes that may occur at a traffic snapshot $TS = (res, clm, pos, spd, acc)$.

$TS \xrightarrow{c(C,n)} TS' \iff TS' = (res, clm', pos, spd, acc) \wedge |clm(C)| = 0 \wedge |res(C)| = 1 \wedge res(C) \cap \{n+1, n-1\} \neq \emptyset \wedge clm' = clm \oplus \{C \mapsto \{n\}\}$ (2.1)

$TS \xrightarrow{wd\,c(C)} TS' \iff TS' = (res, clm', pos, spd, acc) \wedge clm' = clm \oplus \{C \mapsto \emptyset\}$ (2.2)

$TS \xrightarrow{r(C)} TS' \iff TS' = (res', clm', pos, spd, acc) \wedge clm' = clm \oplus \{C \mapsto \emptyset\} \wedge res' = res \oplus \{C \mapsto res(C) \cup clm(C)\}$ (2.3)

$TS \xrightarrow{wd\,r(C,n)} TS' \iff TS' = (res', clm, pos, spd, acc) \wedge res' = res \oplus \{C \mapsto \{n\}\} \wedge n \in res(C) \wedge |res(C)| = 2$ (2.4)

$TS \xrightarrow{t} TS' \iff TS' = (res, clm, pos', spd', acc) \wedge \forall C \in \mathbb{I} : pos'(C) = pos(C) + spd(C) \cdot t + \tfrac{1}{2} acc(C) \cdot t^2 \wedge \forall C \in \mathbb{I} : spd'(C) = spd(C) + acc(C) \cdot t$ (2.5)

$TS \xrightarrow{acc(C,a)} TS' \iff TS' = (res, clm, pos, spd, acc') \wedge acc' = acc \oplus \{C \mapsto a\}$ (2.6)

We also combine passing of time and changes of accelerations to evolutions.

$TS \leadsto^{t} TS' \iff TS = TS_0 \xrightarrow{t_0} TS_1 \xrightarrow{acc(C_1,a_1)} TS_2 \xrightarrow{t_1} \cdots \xrightarrow{t_{n-1}} TS_{2n-1} \xrightarrow{acc(C_n,a_n)} TS_{2n} = TS',$

where $t = \sum_{0 \le i < n} t_i$.

The transitions preserve the sanity conditions in Def. 2.1.


Lemma 2.3 (Preservation of Sanity). Let $TS$ be a snapshot satisfying the constraints given in Def. 2.1. Then, each structure $TS'$ reachable by a transition is again a traffic snapshot satisfying Def. 2.1.

Proof. We proceed by a case distinction. If the transition leading from $TS$ to $TS'$ is the passing of time, or the change of an acceleration, the constraints are still satisfied in $TS'$, since they only concern the amount and place of claims and reservations.

The removal of a claim $TS \xrightarrow{wd\,c(C)} TS'$ sets $clm'(C) = \emptyset$. There are two possibilities. If $clm(C) = \emptyset$, then $TS = TS'$ and hence satisfies the constraints trivially. Let $clm(C) \neq \emptyset$. After the transition, constraint 1 holds trivially, constraint 2 is not affected, constraint 3 holds, as does constraint 4. Constraint 5 holds trivially and satisfaction of constraint 6 follows since it is satisfied in $TS$ and we only shrink the number of cars for which there exists a claim.

Now let $TS \xrightarrow{c(C,n)} TS'$. Then by definition of the transition, $res(C)$ on $TS$ contains exactly one element, and $clm(C)$ is empty. On $TS'$, $clm'(C)$ contains exactly $n$. Since $\{n+1, n-1\} \cap res(C) \neq \emptyset$, $n$ cannot be an element of $res'(C)$. Hence, the constraints 1 to 5 are satisfied. Since $TS$ satisfied constraint 6, and only one car created a new claim, $TS'$ still satisfies this constraint.

Consider $TS \xrightarrow{wd\,r(C,n)} TS'$. Since $|res(C)| = 2$, constraint 4 ensures that $clm(C) = \emptyset$, by which constraints 1, 3, 4 and 5 hold in $TS'$. Constraint 2 holds, since we overwrite $res(C)$ with $\{n\}$. Constraint 6 holds by an argument similar to the withdrawal of a claim.

Finally, let $TS \xrightarrow{r(C)} TS'$. Again we have to consider two cases. First, if $clm(C) = \emptyset$, then $TS = TS'$, and hence the constraints hold. If $clm(C) \neq \emptyset$, we get by constraint 2 that $clm(C) = \{n\}$ for some $n \in \mathbb{L}$. By constraint 4, $|res(C)| = 1$, and by constraint 1, we get that after the transition $|res'(C)| = 2$, i.e., constraint 2 holds. Constraints 1 and 5 now hold trivially. Constraint 3 holds since we reset $clm'(C) = \emptyset$, and similarly for constraint 4. The number of cars with either two reservations or a claim is not changed, hence constraint 6 holds. □


Example 2.4. We formalize Fig. 1 as a traffic snapshot $TS = (res, clm, pos, spd, acc)$. We will only present the subsets of the functions for the cars visible in the figure. Assuming that the set of lanes is $\mathbb{L} = \{1, 2, 3\}$, where 1 denotes the lower lane and 3 the upper one, the functions defining the reservations and claims of $TS$ are given by

$res(A) = \{1, 2\}$ $\quad res(B) = \{1\}$ $\quad res(C) = \{3\}$ $\quad res(E) = \{2\}$

$clm(A) = \emptyset$ $\quad clm(B) = \emptyset$ $\quad clm(C) = \emptyset$ $\quad clm(E) = \{1\}$

For the function $pos$, we chose arbitrary real values which still satisfy the relative positions of the cars in the figure. Similarly, we instantiate the function $spd$ such that the safety envelopes of the cars could match the figure. For example, since the safety envelope of $B$ is larger than the safety envelope of $C$, $B$ has to drive with a higher velocity. For simplicity, we assume that all cars are driving with constant velocity at the moment, i.e., for all cars, the function $acc$ returns zero.

$pos(A) = 28$ $\quad pos(B) = 3.5$ $\quad pos(C) = 2$ $\quad pos(E) = 14$

$spd(A) = 8$ $\quad spd(B) = 14$ $\quad spd(C) = 4$ $\quad spd(E) = 11$

This traffic snapshot satisfies the sanity conditions.

For no traffic snapshot $TS'$ and lane $n$ we have $TS \xrightarrow{c(E,n)} TS'$, since $|clm(E)| \neq 0$. Similarly, there is no transition $TS \xrightarrow{wd\,r(B,n)} TS'$, since $|res(B)| \neq 2$. But, if we let $TS' = (res', clm', pos, spd, acc)$ where $res'$ and $clm'$ coincide with their counterparts in $TS$ except for $res'(E) = \{1, 2\}$ and $clm'(E) = \emptyset$, then $TS \xrightarrow{r(E)} TS'$.


EMLSL restricts the parts of the motorway perceived by each car to so called views. Each view comprises a set of lanes and a real-valued interval, its length.

Definition 2.5 (View). For a given traffic snapshot $TS$ with a set of lanes $\mathbb{L}$, a view $V$ is defined as a structure $V = (L, X, E)$, where

• $L = [l, n] \subseteq \mathbb{L}$ is an interval of lanes that are visible in the view,

• $X = [r, t] \subseteq \mathbb{R}$ is the extension that is visible in the view,

• $E \in \mathbb{I}$ is the identifier of the car under consideration, the owner of the view.

A subview of $V$ is obtained by restricting the lanes and extension we observe. For this we use sub- and superscript notation: $V^{L'} = (L', X, E)$ and $V_{X'} = (L, X', E)$, where $L'$ and $X'$ are subintervals of $L$ and $X$, respectively.


While views define the range of the car's sensors, we use a distinct function to model the capability of these sensors. That is, the perceived length of cars can be dependent on the car under consideration. As an example, a car may calculate its own braking distance, while it can only perceive the physical size of all other cars.

Definition 2.6 (Sensor Function). The car dependent sensor function $\Omega_E : \mathbb{I} \times \mathbb{TS} \to \mathbb{R}_+$, given a car identifier and a traffic snapshot, provides the length of the corresponding car, as perceived by $E$.

The intention of the sensor function is to parametrize the knowledge available to the cars and thereby to easily allow for the consideration of different scenarios [HLOR11].

Remark 2.7 (Abbreviations). For a given view $V = (L, X, E)$ and a traffic snapshot $TS = (res, clm, pos, spd, acc)$ we use the following abbreviations:

$res_V : \mathbb{I} \to \mathcal{P}(L)$ with $C \mapsto res(C) \cap L$

$clm_V : \mathbb{I} \to \mathcal{P}(L)$ with $C \mapsto clm(C) \cap L$

$len_V : \mathbb{I} \to \mathcal{P}(X)$ with $C \mapsto [pos(C), pos(C) + \Omega_E(C, TS)] \cap X$

The functions $res_V$ and $clm_V$ are restrictions of their counterparts in $TS$ to the set of lanes considered in this view. The function $len_V$ gives us the part of the view occupied by a car $C$.¹


Example 2.8. To fully formalize Fig. 1, we have to define a view $V = (L, X, E)$ corresponding to the dashed rectangle. The set of lanes visible in $V$ is $L = \{1, 2\}$. For the extension, we only have to choose values such that the relations of the figure are preserved, i.e., both $E$ and $A$ fit fully into the extension, the safety envelope of $B$ is partially contained in $X$, while no part of $C$ overlaps with it. Hence, we first have to define how the safety envelopes are perceived by $E$.

$\Omega_E(A, TS) = 10$ $\quad \Omega_E(B, TS) = 11.5$ $\quad \Omega_E(C, TS) = 7$ $\quad \Omega_E(E, TS) = 13$

Now we can choose, e.g., $X = [12, 42]$. With this view and sensor function, the derived functions of $TS$ and $V$ are as follows.

$res_V(A) = \{1, 2\}$ $\quad res_V(B) = \{1\}$ $\quad res_V(C) = \emptyset$ $\quad res_V(E) = \{2\}$

$clm_V(A) = \emptyset$ $\quad clm_V(B) = \emptyset$ $\quad clm_V(C) = \emptyset$ $\quad clm_V(E) = \{1\}$

$len_V(A) = [28, 38]$ $\quad len_V(B) = [12, 15]$ $\quad len_V(C) = \emptyset$ $\quad len_V(E) = [14, 27]$

Observe how the space occupied by $B$ is reduced to fit into the view, and that the reservation of $C$ is invisible for $E$, since the view only comprises the two lower lanes.


In the logic, the view shall be interpreted relatively to the owner of the view. If a traffic snapshot $TS$ evolves to $TS'$ in the time $t$, i.e. $TS \leadsto^{t} TS'$, the extension $X$ of a view $V = (L, X, E)$ has to be shifted by the difference of the positions of $E$ in $TS$ and $TS'$. For this purpose, we introduce the function $\mathrm{mv}$, which, given two snapshots $TS$, $TS'$ and a view $V$, computes the view $V'$ corresponding to $V$ after moving from $TS$ to $TS'$.

¹This presentation differs slightly from the first presentation of MLSL in two ways. First, we do not restrict the set of identifiers anymore to the cars "visible" to $E$. Since the functions for the reservations, claims or length return the empty set for cars outside of $V$, such cars cannot satisfy the corresponding atomic formulas. Second, the definition of $res_V$ and $clm_V$ was altered due to a technical mistake in the previous form.





PROOF THEORY OF A MULTI-LANE SPATIAL LOGIC 




Definition 2.9 (Moving a View). For two traffic snapshots $TS = (res, clm, pos, spd, acc)$ and $TS' = (res', clm', pos', spd', acc')$ and a view $V = (L, [r, s], E)$, the result of moving $V$ from $TS$ to $TS'$ is given by $\mathrm{mv}_{TS}^{TS'}(V) = (L, [r + x, s + x], E)$, where $x = pos'(E) - pos(E)$.

Definition 2.10 formalizes the partitioning of discrete intervals. We need this slightly intricate notion to have a clearly defined chopping operation, even on the empty set of lanes. We want the empty set to be a valid interval of lanes, so that the smallest intervals of lanes and horizontal space behave similarly.

Definition 2.10 (Chopping discrete intervals). Let $I$ be a discrete interval, i.e., $I = [l, n]$ for some $l, n \in \mathbb{L}$ or $I = \emptyset$. Then $I = I^1 \ominus I^2$ if and only if $I^1 \cup I^2 = I$, $I^1 \cap I^2 = \emptyset$, and both $I^1$ and $I^2$ are discrete convex intervals, which implies $\max(I^1) + 1 = \min(I^2)$ or $I^1 = \emptyset$ or $I^2 = \emptyset$.

We define the following relations on views to have a consistent description of vertical and horizontal chopping operations.

Definition 2.11 (Relations of Views). Let $V_1$, $V_2$ and $V$ be views of a snapshot $TS$. Then $V = V_1 \ominus V_2$ if and only if $V = (L, X, E)$, $L = L_1 \ominus L_2$, $V_1 = V^{L_1}$ and $V_2 = V^{L_2}$. Furthermore, $V = V_1 \frown V_2$ if and only if $V = (L, [r, t], E)$ and there is an $s \in [r, t]$ such that $V_1 = V_{[r, s]}$ and $V_2 = V_{[s, t]}$.

To abstract from the borders of real-valued intervals during the definition of the semantics, we define the following norm giving the length of such intervals. This notion coincides with the length measurement of DC [ZHR91]. We also define the cardinality of discrete intervals to be their length.

Definition 2.12 (Measures of intervals). Let $I_R = [r, t]$ be a real-valued interval, i.e. $r, t \in \mathbb{R}$. The measure of $I_R$ is the norm $\|I_R\| = t - r$. For a discrete interval $I_D$, the measure of $I_D$ is simply its cardinality $|I_D|$.

With the definition of measures, we can give the reason for the need of Def. 2.10. The smallest intervals in horizontal direction are point-intervals, e.g. $I = [r, r]$ for some $r \in \mathbb{R}$. The measure of $I$ is $\|I\| = 0$. In contrast, if the smallest intervals of lanes were also point-intervals, i.e., sets of the form $\{n\}$, their measure would be $|\{n\}| = 1$. However, with the empty set as the smallest interval of lanes, the measures behave similarly for both directions.

We employ three sorts of variables. The set of variables ranging over car identifiers is denoted by $CVar$, with typical elements $c$ and $d$. For referring to lengths and quantities of lanes, we use the sorts $RVar$ and $LVar$ ranging over real numbers and elements of the set of lanes $\mathbb{L}$, respectively. The set of all variables is denoted by $Var$. To refer to the car owning the current view, we use the special constant $ego$. Furthermore we use the syntax $\ell$ for the length of a view, i.e., the length of the extension of the view, and $\omega$ for the width, i.e., the number of lanes. For simplicity, we only allow for addition between correctly sorted terms. However, it is straightforward to augment the definition with further arithmetic operations.
Definition 2.13 (Syntax). We use the following definition of terms.

$\theta ::= n \mid r \mid ego \mid u \mid \ell \mid \omega \mid \theta_1 + \theta_2,$

where $n \in \mathbb{L}$, $r \in \mathbb{R}$ and $u \in Var$, and $\theta_1, \theta_2$ are both of the same sort and not elements of $CVar \cup \{ego\}$. We denote the set of terms by $\Theta$. The syntax of the extended multi-lane spatial logic EMLSL is given as follows.

$\varphi ::= \bot \mid \theta_1 = \theta_2 \mid re(c) \mid cl(c) \mid \varphi_1 \to \varphi_2 \mid \forall z \bullet \varphi_1 \mid \varphi_1 \frown \varphi_2 \mid \dfrac{\varphi_2}{\varphi_1} \mid M\varphi_1$

where $M \in \{\Box_{r(c)}, \Box_{c(c)}, \Box_{wd\,c(c)}, \Box_{wd\,r(c)}, \Box_\tau\}$, $c \in CVar \cup \{ego\}$, $z \in Var$, and $\theta_1, \theta_2 \in \Theta$ are of the same sort. We denote the set of all EMLSL formulas by $\Phi$.

Definition 2.14 (Valuation and Modification). A valuation is a function $\nu : Var \cup \{ego\} \to \mathbb{I} \cup \mathbb{R} \cup \mathbb{L}$. We silently assume valuations and their modifications to respect the sorts of variables. For a view $V = (L, X, E)$, we lift $\nu$ to a function $\nu_V$ evaluating terms, where variables and $ego$ are interpreted as in $\nu$, and $\nu_V(\ell) = \|X\|$ and $\nu_V(\omega) = |L|$. The function $+$ is interpreted as addition.

Definition 2.15 (Semantics). In the following, let $\theta_i$ be terms of the same sort, $c \in CVar \cup \{ego\}$ and $z \in Var$. The satisfaction of formulas with respect to a traffic snapshot $TS$, a view $V = (L, X, E)$ and a valuation $\nu$ with $\nu(ego) = E$ is defined inductively as follows:

$TS, V, \nu \not\models \bot$ for all $TS$, $V$ and $\nu$

$TS, V, \nu \models \theta_1 = \theta_2 \iff \nu_V(\theta_1) = \nu_V(\theta_2)$

$TS, V, \nu \models re(c) \iff |L| = 1$ and $\|X\| > 0$ and $res_V(\nu(c)) = L$ and $X = len_V(\nu(c))$

$TS, V, \nu \models cl(c) \iff |L| = 1$ and $\|X\| > 0$ and $clm_V(\nu(c)) = L$ and $X = len_V(\nu(c))$

$TS, V, \nu \models \varphi_1 \to \varphi_2 \iff TS, V, \nu \models \varphi_1$ implies $TS, V, \nu \models \varphi_2$

$TS, V, \nu \models \forall z \bullet \varphi \iff \forall \alpha \in \mathbb{I} \cup \mathbb{R} \cup \mathbb{L} \bullet TS, V, \nu \oplus \{z \mapsto \alpha\} \models \varphi$

$TS, V, \nu \models \varphi_1 \frown \varphi_2 \iff \exists V_1, V_2 \bullet V = V_1 \frown V_2$ and $TS, V_1, \nu \models \varphi_1$ and $TS, V_2, \nu \models \varphi_2$

$TS, V, \nu \models \dfrac{\varphi_2}{\varphi_1} \iff \exists V_1, V_2 \bullet V = V_1 \ominus V_2$ and $TS, V_1, \nu \models \varphi_1$ and $TS, V_2, \nu \models \varphi_2$

$TS, V, \nu \models \Box_{r(c)}\varphi \iff \forall TS' \bullet TS \xrightarrow{r(\nu(c))} TS'$ implies $TS', V, \nu \models \varphi$

$TS, V, \nu \models \Box_{c(c)}\varphi \iff \forall TS', n \bullet TS \xrightarrow{c(\nu(c), n)} TS'$ implies $TS', V, \nu \models \varphi$

$TS, V, \nu \models \Box_{wd\,c(c)}\varphi \iff \forall TS' \bullet TS \xrightarrow{wd\,c(\nu(c))} TS'$ implies $TS', V, \nu \models \varphi$

$TS, V, \nu \models \Box_{wd\,r(c)}\varphi \iff \forall TS', n \bullet TS \xrightarrow{wd\,r(\nu(c), n)} TS'$ implies $TS', V, \nu \models \varphi$

$TS, V, \nu \models \Box_\tau\varphi \iff \forall TS', t \bullet TS \leadsto^{t} TS'$ implies $TS', \mathrm{mv}_{TS}^{TS'}(V), \nu \models \varphi$
Observe that views are only moved whenever time passes between snapshots. In addition to the standard abbreviations of the remaining Boolean operators and the existential quantifier, we use $T \equiv \neg\bot$. An important derived modality of our previous work [HLOR11] is the somewhere modality

$\langle \varphi \rangle \equiv T \frown \left(\begin{array}{c} T \\ \varphi \\ T \end{array}\right) \frown T.$

Further, we use its dual operator everywhere. We abbreviate the modality somewhere along the extension of the view with the operator $\Diamond_\ell$, similar to the on some subinterval modality of DC.

$[\varphi] \equiv \neg\langle\neg\varphi\rangle \qquad \Diamond_\ell \varphi \equiv T \frown \varphi \frown T \qquad \Box_\ell \varphi \equiv \neg\Diamond_\ell\neg\varphi$

Likewise, abbreviations can be defined to express the modality on some lane. Furthermore, we define the diamond modalities for the transitions as usual, i.e., $\Diamond_* \varphi \equiv \neg\Box_*\neg\varphi$, where $* \in \{r(c), c(c), wd\,r(c), wd\,c(c), \tau\}$.

In the first definition of MLSL, we included the atom $free$ to denote free space on the road, i.e., space which is neither occupied by a reservation nor by a claim. It was not possible to derive this atom from the others, since we were unable to express the existence of exactly one lane and a non-zero extension in the view. However, in the current presentation, $free$ can be defined within EMLSL. Observe that a view of non-zero extension can be characterized by $\ell > 0 \equiv \neg(\ell = 0)$.

$free \equiv \ell > 0 \wedge \omega = 1 \wedge \forall c \bullet \Box_\ell(\neg cl(c) \wedge \neg re(c))$

Furthermore, we can define $\ell < r \equiv \neg(\ell = r \frown T)$ and use the superscript to abbreviate the schema $\varphi^{\ell = r} \equiv \varphi \wedge \ell = r$. For reasons of clarity, we will not always use this abbreviation and write out the formula instead, to emphasize the restriction.

As an example, the following formula defines the behavior of a safe distance controller, i.e., as long as the car starts in a situation with free space in front of it, the formula demands that after an arbitrary time, there is still free space left.

$\left(\begin{array}{c} \omega = x \\ re(ego) \frown free \\ \omega = y \end{array}\right) \to \Box_\tau \left(\begin{array}{c} \omega = x \\ re(ego) \frown free \\ \omega = y \end{array}\right)$

We have to relate the lane in both the antecedent and the conclusion by the atoms $\omega = x$ and $\omega = y$ respectively. If we simply used $\langle re(ego) \frown free \rangle$, it would be possible for the reservations to be on different lanes, and hence, we would not ensure that free space is in front of each of $ego$'s reservations at every point in time. However, the formula does not constrain how the situations may change whenever reservations or claims are created or withdrawn.
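As an added Python example that is not from the paper: views and the restricted functions of Remark 2.7 on the data of Examples 2.4 and 2.8, the atoms re(c) and cl(c) of Definition 2.15, the derived free of the previous paragraph and the antecedent re(ego) ⌢ free of the safe-distance formula above. Deciding a chop over the real-valued extension is reduced to the finitely many subviews the atoms admit; the dict layout and the function names are assumptions of this example.

```python
"""Views (Def. 2.5), the restricted functions res_V, clm_V, len_V (Remark 2.7),
the atoms re(c), cl(c) and the derived free (Def. 2.15) on the data of Examples 2.4
and 2.8. Added example code; the dict layout and function names are assumptions."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Tuple

Interval = Optional[Tuple[float, float]]   # closed [r, t]; None stands for the empty set


@dataclass(frozen=True)
class View:
    lanes: FrozenSet[int]   # the lane interval L of the view
    ext: Interval           # the extension X = [r, t]
    owner: str              # E, the car owning the view


# Snapshot of Example 2.4 (res, clm and pos are all the atoms need) and the
# sensor function Omega_E of Example 2.8, i.e. lengths as perceived by E.
TS = {
    "res": {"A": {1, 2}, "B": {1}, "C": {3}, "E": {2}},
    "clm": {"A": set(), "B": set(), "C": set(), "E": {1}},
    "pos": {"A": 28.0, "B": 3.5, "C": 2.0, "E": 14.0},
}
OMEGA_E = {"A": 10.0, "B": 11.5, "C": 7.0, "E": 13.0}


def meet(a: Interval, b: Interval) -> Interval:
    """Intersection of two closed intervals; the empty set propagates."""
    if a is None or b is None:
        return None
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def measure(x: Interval) -> float:
    """The norm ||[r, t]|| = t - r of Def. 2.12; the empty set measures 0."""
    return 0.0 if x is None else x[1] - x[0]


def res_V(v: View, c: str) -> FrozenSet[int]:
    return frozenset(TS["res"][c]) & v.lanes


def clm_V(v: View, c: str) -> FrozenSet[int]:
    return frozenset(TS["clm"][c]) & v.lanes


def len_V(v: View, c: str) -> Interval:
    p = TS["pos"][c]
    return meet((p, p + OMEGA_E[c]), v.ext)


def sat_re(v: View, c: str) -> bool:
    """TS, V, nu |= re(c): one lane, positive extension, exactly c's reserved space."""
    return (len(v.lanes) == 1 and measure(v.ext) > 0
            and res_V(v, c) == v.lanes and v.ext == len_V(v, c))


def sat_cl(v: View, c: str) -> bool:
    """TS, V, nu |= cl(c): as re(c), but for the claim of c."""
    return (len(v.lanes) == 1 and measure(v.ext) > 0
            and clm_V(v, c) == v.lanes and v.ext == len_V(v, c))


def somewhere(v: View, atom: Callable[[View, str], bool], c: str) -> bool:
    """<atom(c)> on V: some subview reached by vertical and horizontal chops
    satisfies the atom. Both atoms pin the subview down to a single lane and the
    extension len_V(c), so the real-valued chop points need not be searched."""
    x = len_V(v, c)
    return any(atom(View(frozenset({m}), x, v.owner), c) for m in v.lanes)


def sat_free(v: View) -> bool:
    """free = l > 0 and w = 1 and for all c: everywhere (not cl(c) and not re(c)):
    no sub-extension of positive length holds a reservation or claim on the lane."""
    if measure(v.ext) <= 0 or len(v.lanes) != 1:
        return False
    return all(not somewhere(v, sat_re, c) and not somewhere(v, sat_cl, c)
               for c in TS["res"])


def sat_re_chop_free(v: View, c: str) -> bool:
    """re(c) ^ free on V: a chop point s with V_[r,s] |= re(c) and V_[s,t] |= free.
    re(c) forces [r, s] = len_V(c), so the only candidate s is its right end."""
    if len(v.lanes) != 1 or v.ext is None:
        return False
    x = len_V(v, c)
    if x is None or x[0] != v.ext[0]:
        return False
    left = View(v.lanes, x, v.owner)
    right = View(v.lanes, (x[1], v.ext[1]), v.owner)
    return sat_re(left, c) and sat_free(right)


# The view of Example 2.8: lanes {1, 2}, extension [12, 42], owned by E.
V_28 = View(frozenset({1, 2}), (12.0, 42.0), "E")
```

On V_28 the reservation of C stays invisible (lane 3 is not in the view), while re(ego) ⌢ free holds on lane 2 only for extensions that end before A's safety envelope begins at 28.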

Observe that it is crucial to combine acceleration and time transitions into a single modality $\Box_\tau$. Let $ego$ drive on lane $m$ with a velocity of $v$. If we only allowed for the passing of time, this formula would require all cars on $m$ in front of $ego$ to have a velocity $v_f > v$, while all cars behind $ego$ had to drive with $v_b < v$. Hence the evolutions allow for more complex behavior in the underlying model.

Like for ITL [Mos85] or DC [ZHR91], we call a formula flexible whenever its satisfaction is dependent on the current traffic snapshot and view. Otherwise the formula is rigid. However, since the spatial dimensions of EMLSL are not directly interrelated, we also distinguish horizontally rigid and vertically rigid formulas. The satisfaction of the former is independent of the extension of views, while for the latter, the amount of lanes in a view is of no influence. If a formula is only independent of the current traffic snapshot, we call it dynamically rigid.

Definition 2.16 (Types of Rigidity). Let $\varphi$ be a formula of EMLSL. We call $\varphi$ dynamically rigid, if it does not contain any spatial atom, i.e., $re(c)$ or $cl(c)$, as a subformula. Furthermore, we call $\varphi$ horizontally rigid, if it is dynamically rigid and in addition does not contain $\ell$ as a term. Similarly, $\varphi$ is vertically rigid, if it is dynamically rigid and does not contain $\omega$ as a term. If $\varphi$ is both vertically and horizontally rigid, it is simply rigid.

Lemma 2.17. Let $\varphi$ be dynamically rigid and $\varphi_H$ ($\varphi_V$) be horizontally (vertically) rigid. Then for all traffic snapshots $TS$, $TS'$, views $V$, $V_1$, $V_2$ and valuations $\nu$,

(1) $TS, V, \nu \models \varphi$ iff $TS', V, \nu \models \varphi$

(2) Let $V = V_1 \frown V_2$. Then $TS, V, \nu \models \varphi_H$ iff $TS, V_i, \nu \models \varphi_H$ (for $i \in \{1, 2\}$).

(3) Let $V = V_1 \ominus V_2$. Then $TS, V, \nu \models \varphi_V$ iff $TS, V_i, \nu \models \varphi_V$ (for $i \in \{1, 2\}$).

Proof. By induction on the structure of EMLSL formulas. □


3. Undecidability of pure MLSL 

In this section we give an undecidability result for the spatial fragment of EMLSL, i.e., we do not need the modalities for the discrete state changes of the model or the evolutions. We will call this fragment spatial MLSL, subsequently. We reduce the halting problem of two-counter machines, which is known to be undecidable [Min67], to satisfaction of spatial MLSL formulas.

Intuitively, a two counter machine executes a branching program which manipulates a (control) state and increments and decrements two different counters $c_1$ and $c_2$. Formally, two counter machines consist of a set of states $Q = \{q_0, \ldots, q_m\}$, distinguished initial and final states $q_0, q_{fin} \in Q$ and a set of instructions $I$ of the form shown in Tab. 1 (the instructions for the counter $c_2$ are analogous). The instructions mutate configurations of the form $s = (q_i, c_1, c_2)$, where $q_i \in Q$ and $c_1, c_2 \in \mathbb{N}$, into new configurations:

Table 1: Instructions for counter $c_1$ of a two-counter machine

    s                  Instruction          s'
    (q, c_1, c_2)      q -> q_j             (q_j, c_1 + 1, c_2)
    (q, 0, c_2)        q -> q_j, q_n        (q_j, 0, c_2)
    (q, c + 1, c_2)    q -> q_j, q_n        (q_n, c, c_2)

A run from the initial configuration of a two-counter machine $(Q, q_0, q_{fin}, I)$ is a sequence of configurations $(q_0, 0, 0) \xrightarrow{i_1} \cdots \xrightarrow{i_p} (q_{p+1}, c_{p+1}, c'_{p+1})$, where each $i_j$ is an instance of an instruction within $I$. If $q_{p+1} = q_{fin}$, the run is halting.

We follow the approach of Zhou et al. [ZHS93] for DC. They encode the configurations in recurring patterns of length $4k$, where the first part constitutes the current state, followed by the contents of the first counter. The third part is filled with a marker to distinguish the counters, and is finally followed by the contents of the second counter. Each of these parts is exactly of length $k$.

Zhou et al. could use distinct observables for the state of the machine, counters and separating delimiters, since DC allows for the definition of arbitrarily many observable variables. We have to modify this encoding since within spatial MLSL we are restricted to two predicates for reservations and claims, and the derived predicate for free space, respectively. Furthermore, due to the constraints on EMLSL models in Def. 2.1 we cannot use multiple occurrences of reservations of a unique car to stand, e.g., for the values of one counter. Hence we have to existentially quantify all mentions of reservations and claims. We will never reach an upper limit of existing cars, since we assume $\mathbb{I}$ to be countably infinite.

The current state of the machine $q_i$ is encoded by the number of lanes below the current configuration; the states of the counters are described by a sequence of reservations, separated by a single claim. To safely refer to the start of a configuration, we also use an additional marker consisting of a claim, an adjacent reservation and again a claim. Each part of the configurations is assumed to have length $k$. Free space separates the reservations within one counter from each other and from the delimiters. Intuitively, a configuration is encoded as follows:

[Figure: one encoded configuration of total length $5k$ on lane $i$, with lanes $0$ to $i - 1$ below it: marker, then free space and reservations ($re$) for the first counter, a claim ($cl$), free space and reservations for the second counter, and a final claim.]

To enhance the readability of our encoding, we use the abbreviation

$marker \equiv \exists c \bullet cl(c) \frown \exists c \bullet re(c) \frown \exists c \bullet cl(c)$

to denote the start of a configuration.

Like Zhou et al., we ensure that reservations and claims are mutually exclusive. We do not have to consider $free$, since it is already defined as the absence of both reservations and claims. Observe that we use the square brackets to denote the everywhere modality (cf. Section 2).

$mutex \equiv \forall c, d \bullet [(cl(c) \to \neg re(d)) \wedge (re(c) \to \neg cl(d))].$

The initial marking $(q_0, 0, 0)$ is then defined by the following formula.

$init \equiv \left(\begin{array}{c} [\neg\exists c \bullet cl(c)] \\ marker^{\ell=k} \frown free^{\ell=k} \frown (\exists c \bullet cl(c))^{\ell=k} \frown free^{\ell=k} \frown (\exists c \bullet cl(c))^{\ell=k} \\ \omega = 0 \end{array}\right) \frown T$

We have to ensure that the configurations occur periodically after every $5k$ spatial units. Therefore, we use the following schema $Per(D)$. Observe that we only require that the lanes surrounding the formula $D$ do not contain claims. This ensures on the one hand that no configuration lies in parallel with the formula $D$, since well-defined configurations have to include claims. On the other hand, it allows for satisfiability of the formula, since we do not forbid the occurrence of reservations, which are needed for the claims within the configurations.

$Per(D) \equiv \left(\begin{array}{c} [\neg\exists c \bullet cl(c)] \\ D^{\ell = 5k} \\ [\neg\exists c \bullet cl(c)] \end{array}\right) \to \left(\begin{array}{c} [\neg\exists c \bullet cl(c)] \\ \ell = 5k \frown D \\ [\neg\exists c \bullet cl(c)] \end{array}\right)$

Note that we did not constrain on which lane the periodic behavior occurs. This will be defined by the encoding of the operations.

Now we may define the periodicity of the delimiters and the counters. Here we also have to slightly deviate from Zhou et al.: we are not able to express the statement "almost everywhere $free$ or $re(c)$ holds" directly. We have to encode it by ensuring that on every subinterval with a length greater than zero, we can find another subinterval which satisfies $free$ or $re(c)$. This expresses in particular that no claim may occur, due to the mutual exclusion property.

$periodic \equiv Per((\Box_\ell(\ell > 0 \to T \frown (free \vee \exists c \bullet re(c)) \frown T) \wedge \omega = 1)^{\ell=k}) \wedge Per((\exists c \bullet cl(c))^{\ell=k}) \wedge Per(marker^{\ell=k})$



We turn to the encoding of the operation $q_i \xrightarrow{c_1} q_j$, i.e., the machine goes from $q_i$ to $q_j$ and increments the first counter by one. Similar to Zhou et al., we use encodings of the form $\neg(D_1 \frown \neg D_2)$, meaning "whenever the beginning of the view satisfies $D_1$, the next part satisfies $D_2$."

The formula $F_1$ copies the reservations of counter one of state $q_i$ to the corresponding places in counter one in state $q_j$.

$F_1 \equiv \neg\Big(\big(marker^{\ell=k} \frown \ell < k \frown \exists c \bullet re(c) \frown ((\exists c \bullet re(c) \frown T) \wedge \ell = 5k)\big) \frown \neg\big(\ell = 0 \vee (\exists c \bullet re(c) \frown T)\big)\Big)$

We use a similar formula $F_{free}$ to copy the free space before the reservations.

The formulas F 2 and T 3 handle the addition of another reservation to the counter. We 
have to distinguish between an empty counter and one already containing reservations. 


F 2 = marker^ ^ free^ = bk 


T ^ {free ^ 3c • re(c) ^free)^ 
UJ=j 


F 3 = marker^ ^ £ < k ^ 3c • re{c) ^ {{free ^ 3c • cl{c) ^T) A£ = 6k) 


T ^ {free ^3c • re{c) ^ free ^3c» el{c))^ 

V w = i J 

In addition, we need formulas which copy the contents of the second counter to the new 
configuration, similar to F_1. 

Let Ic be the set of the machine’s instructions and F(i) be the conjunction of the 
formulas encoding operation i and its final state. Then 

halt(C) = init \land periodic \land mutex \land \bigwedge_{i \in Ic} F(i) \land \langle \exists c \bullet cl(c) \land \omega = fin \rangle 

The machine has a halting run if and only if halt(C) is satisfiable. This holds since 
only configurations may contain claims (as defined in the formalization of periodicity), and 
whenever the machine reaches its final state, it halts. Hence the halting problem of two 
counter machines with empty initial configuration reduces to satisfiability of spatial MLSL 
formulas. 

Proposition 3.1. Let C be a two counter machine. Then C has a halting run if and only 
if halt(C) is satisfiable. 

Proof. 

“if”. 

Let TS,V,ν ⊨ halt(C), where V = (L,X,E). Observe that all variables occurring in 
halt(C) are existentially quantified, and hence we may ignore the values of ν. We divide X 
into parts of length 5k, i.e., we have |X| = s·5k + r, where 0 ≤ r < 5k, which means 

X = [a, b] = \bigcup_{d=1}^{s} [a + (d - 1) \cdot 5k,\ a + d \cdot 5k] \cup [a + s \cdot 5k,\ b]. 

We denote \bigcup_{d=1}^{s} [a + (d - 1) \cdot 5k, a + d \cdot 5k] by X_s. Let X' = [a + (d' − 1)·5k, a + d'·5k] 
and X'' = [a + d'·5k, a + (d' + 1)·5k] for some 0 < d' < s. Now assume that at X', lane m 
contains a configuration, i.e., 

TS, \= marker^ ^ > 0 —^ T ^ {free V 3c • re(c)) ^ T) A w = 1)^ 

^ 3c • cl{c)^ ^ {^e{f > 0 —)■ T ^ {free V 3c • re(c)) ^ T) A cu = 1)^ 

^ 3c • cl{c)^ 

By interpreting periodic on TS, V_{X' ∪ X''} we get that there is a lane m' such that 
TS, ^ 1= marker^ ^ {^(.{f- > 0 T ^ {free V 3c • re(c)) ^ T) A w = 1)^ 

^ 3c • el{c)^ ^ {T\i{(. > 0 —T ^ {free V 3c • re{c)) ^ T) A cu = 1)^ 

^ 3c • el{c)^ 

Furthermore, periodic prevents the existence of a lane different from m' containing 
such a situation, since for it to hold, all other lanes are forbidden to contain claims at X''. 
Hence we have exactly one configuration on each part [a + (d − 1)·5k, a + d·5k]. 

We can extract a run for C from TS,V ⊨ halt(C) by induction on d as follows. 

Let d = 1. Then init ensures that on lane 0, there is a configuration with no reservations 
between marker and the first claim and between the first and the second claim. Hence, we 
have a run starting at and ending with (q_0, 0, 0). 

As the induction hypothesis, we assume that for 1 ≤ d < s, we can extract a run 
R = (q_0, 0, 0) →* (q_i, c_1, c_2) from TS, V_{X_d}. For d + 1, we know by the arguments above that 
there exists exactly one configuration on [a + d·5k, a + (d + 1)·5k]. Since C is deterministic, 




for the configuration on lane i, there is at most one set of formulas applicable. We only 
show the case for the instruction incrementing counter one. 

Let F_1, F_2, F_3, F_free be the applicable formulas, which we will interpret on X_{d+1} \ X_{d−1}, 
i.e. the interval [a + (d − 1)·5k, a + (d + 1)·5k]. This interval is exactly 10k 
long and starts with marker on lane i. Then F_1 states that for each reservation in the 
representation of the first counter, i.e., where ℓ < k ⌢ re(c) holds, we find a reservation 
on lane j exactly 5k space units onwards. The outermost negation ensures that each possible 
chop point is considered, in particular the chop points arbitrarily close to the end points 
of the reservations. F_free ensures in a similar way that for each free space in front of a 
reservation in this representation, we have free space exactly 5k space units onwards on 
lane j. Hence, all reservations and the free space in between are present on lane j. 

Now we consider two cases. When there is no reservation between the marker and the 
first single claim, then F_2 replaces this free space by a reservation enclosed by free space, i.e., 
the end configuration of the run was (q_i, 0, c_2) and the resulting configuration is (q_j, 1, c_2). 
The second counter was copied like the first. 

If there was a reservation before the last free space, then F_3 replaces this last free space 
similarly by a reservation enclosed by free space on lane j, i.e., the configuration (q_i, c_1, c_2) 
is changed to (q_j, c_1 + 1, c_2). Hence, in both cases we defined the increment of counter 1 
together with a state change from q_i to q_j, which is by construction an instruction of C; 
hence R → (q_j, c_1, c_2) is a valid run of C. The other cases are analogous. 

Now that we have extracted a run from the satisfying model of halt(C), we have two 
possibilities. First, if r = 0, then the configuration at step s is the last of R. Then the last conjunct 
of halt(C) ensures that a final state was reached, hence R is a halting run. 

Otherwise, if r > 0, then similarly it is ensured that on this last part of V, the lane 
corresponding to the final state has been reached. Since also the last change has to be 
initiated by a formula as before, there is an instruction to complete R to a halting run. 

“only if”. 

Let R = (q_0, 0, 0) →* (q_fin, c_1, c_2) be a halting run of C with d + 1 configurations, i.e. 
q_d = q_fin. We create a model TS,V with V = (L,X,E), |X| = (d + 1)·5k and 
|L| = |Q| + 1 as follows. For a configuration (q_i, c_1, c_2) at step d', we define three cars 
C_{d',0}, C_{d',1}, C_{d',2} with 

pos(C_{d',e}) = d' \cdot 5k + e \cdot k/3 \quad \text{for } e \in \{0,1,2\} 

res(C_{d',0}) = res(C_{d',2}) = \{i + 1\} 
res(C_{d',1}) = \{i\} 
clm(C_{d',0}) = clm(C_{d',2}) = \{i\} 

and an extension of k/3 on TS for each C_{d',e} with e ∈ {0,1,2}. 

These cars satisfy marker. For the claims marking the end of counter 1 and 2 respectively, 
we define C_{d',4} and C_{d',5} as follows. 

pos(C_{d',4}) = d' \cdot 5k + 2k 
pos(C_{d',5}) = d' \cdot 5k + 4k 
res(C_{d',4}) = res(C_{d',5}) = \{i + 1\} 
clm(C_{d',4}) = clm(C_{d',5}) = \{i\} 

Both cars have an extension of k on TS. 
For the definition of the first counter, we need the maximum value max of both counters 
on the whole run. Then we define a sequence of cars C_{d',3,x} with 1 ≤ x ≤ c_1 if c_1 > 0. 
For each such car we set 

pos(C_{d',3,x}) = d' \cdot 5k + 3k + \frac{(2x + 1) \cdot k}{1 + 2 \cdot max} 
res(C_{d',3,x}) = \{i\} 
clm(C_{d',3,x}) = \emptyset 

with an extension of \frac{k}{1 + 2 \cdot max}. Otherwise, no such sequence is added. 

For the second counter, we define a similar sequence C_{d',5,x} with 1 ≤ x ≤ c_2 if c_2 > 0. 
If we create such sets of cars for each configuration, the formula halt(C) is satisfied if 
the run is halting. □ 



The main theorem of this section is a corollary of Prop. 3.1. 


Theorem 3.2. The satisfiability problem of spatial MLSL is undecidable. 


Even though we used the full power of spatial MLSL in the proof, i.e., we used both ℓ 
and ω, the proof would be possible without using the latter. For that, we would not be able 
to encode the state of the configuration in the lanes, but we could do so in a way similar to the markers in 
the formulas. For example, the formula (∃c • cl(c) ⌢ ∃c • re(c) ⌢ ∃c • cl(c)) would denote 
the state q_0, and with another iteration of re(c), it would denote q_1 and so on. If we remove 
the references to more than one lane in each of the formulas above, the reservations and 
claims would already imply that only one lane exists, and hence the use of ω within the 
abbreviation free could be omitted. This shows that spatial MLSL is already undecidable 
even if we only use ℓ. 


4. Labelled Natural Deduction for EMLSL 


Despite the negative decidability result of the previous section, we define a system of labelled 
natural deduction [Gab96, BMV98, Vig00] for the full logic EMLSL. That is, the rules of 
the deduction system do not operate on formulas φ, but on labelled formulas w: φ, where 
w is a term of a labelling algebra and φ is a formula of EMLSL. They may connect the 
derivations of formulas and relations between the terms w to allow for a tighter relationship 
between both. The labelling algebra is more involved than for standard modal logics, since 
EMLSL is in essence a multi-dimensional logic, where the modalities are not interdefinable. 
Obviously, the spatial modalities cannot be defined by the dynamic modalities and vice 
versa. Furthermore, neither can the dynamic modalities be defined by each other in general. 
Consider, e.g., the modalities □_{r(c)} and □_{c(c)}. Both of these modalities rely on different 
transitions between the models, which are only indirectly related. 

The labels of the algebra consist of tuples TS,V, where, similar to the semantics, TS is 
the name of a traffic snapshot and V a view. The algebra is then twofold. The relations of the 
form V = V_1 ⊕ V_2 and V = V_1 ⊖ V_2 define ternary reachability relations between views for the 
spatial modalities. Relations between snapshots and views, e.g., TS,V →^{α} TS',V, describe 
the behavior of transitions. The relations within the labelling algebra for traffic snapshots 
directly correspond to the dynamic modalities. For example, we have TS,V →^{c(c)} TS',V 
whenever there exists an n ∈ ℕ such that TS →^{c(c,n)} TS'. 

We do not give a deduction system for the transitions between snapshots, since the 
conditions needed to hold between them are of a very complex nature, i.e., they are definable 
only with the power of full first-order logic with functions, identity and arithmetic. Hence 
we would not achieve a system with a clean distinction between the relational deductions 
and the deductions of labelled formulas [BMV98, Vig00]. Furthermore, the possibility of a 
transition may depend on properties of cars at any place within the traffic snapshot. 
This means that we would have to specify global dependencies, while all logical operations 
we have at hand are only able to denote local properties, i.e., properties of cars visible in the 
current view. Instead we simply assume the existence of the relations between snapshots 
whenever needed. That is, we will often have, e.g., the existence of a transition in our set of 
assumptions. This is sensible, since we often want to reason about the outcome of a specific 
transition (see, e.g., Lemma 4.6). However, we give simple rules stating that chopping 
a view into two subviews is always possible. 


Definition 4.1 (Labelled Formulas and Relational Formulas). Let TS be a name for a 
traffic snapshot, V a name for a view and φ a formula according to Definition 2.13. Then 
TS,V: φ is a labelled formula of EMLSL. Furthermore, we use two types of relational 
formulas. On the one hand, we use TS,V →^{α} TS',V' to denote the existence of a transition 
with the label α. On the other hand, the formulas V = V_1 ⊕ V_2 and V = V_1 ⊖ V_2 describe 
that the view V can be horizontally (vertically, resp.) chopped into the views V_1 and V_2. 


To obtain a meaningful soundness result for the calculus, we relate the semantics of labelled 
formulas to the semantics of normal formulas. Observe that we do not define a completely 
independent notion of models, but only use a valuation for this purpose. This is due to the 
semantic information which is still comprised within the views and traffic snapshots. 


Definition 4.2 (Satisfaction of Labelled Formulas). We say that a valuation ν satisfies a 
labelled formula TS,V: φ, written ν ⊨ TS,V: φ, if and only if TS,V,ν ⊨ φ. Furthermore, 


i/\^TSuV^TS2,V o 


iy^TSi,V^^^^^TS2,V 


u^TSi,V^TS2,V 


n^TSi,V^^^^^TS2,V 


n ^ TSi,Vi^TS2,V2 



Ts^±^TS2, 

wd c(u(c)) 

TSi - ^-^TS2 

3t»TSi 4> TS 2 and V 2 = mv'Jj-%\{Vi) 


The relational formulas V = V_1 ⊕ V_2 and V = V_1 ⊖ V_2 are independent of the valuation 
at hand, and hence are satisfied whenever V_1 and V_2 combined according to Definition 2.11 
result in V. 
We also lift the satisfaction relation to sets of labelled formulas and relational formulas. 
Let ν be a valuation, Γ a set of labelled formulas and Δ a set of relational formulas. Then 

\nu \models \Delta \iff \forall \rho \in \Delta \bullet \nu \models \rho 

\nu \models \Gamma \iff \forall (TS,V\colon \varphi) \in \Gamma \bullet \nu \models TS,V\colon \varphi 

\nu \models (\Gamma, \Delta) \iff \nu \models \Gamma \text{ and } \nu \models \Delta 

\Gamma, \Delta \models TS,V\colon \varphi \iff \nu \models (\Gamma, \Delta) \text{ implies } \nu \models TS,V\colon \varphi \text{ for all valuations } \nu 


Definition 4.3 (Derivation). A derivation of a labelled formula TS,V: φ from a set of 
labelled formulas Γ and a set of relational formulas Δ is a tree, where the root is TS,V: φ, 
each leaf is an element of Γ or Δ and each node within the tree is the result of an application 
of one of the rules defined subsequently. We denote the existence of such a derivation by 
Γ, Δ ⊢ TS,V: φ. 

Following Rasmussen [Ras01], we define predicates for chop-freeness of formulas and 
rigidity of terms and formulas. To increase the number of deducible theorems, we differentiate between 
vertical and horizontal chop-freeness and rigidity. These properties are especially important 
for the correct instantiation of terms, i.e., for the elimination of universal quantifiers. 


Example 4.4. Consider the formula 

\forall x \bullet \frac{\ell = x}{\ell = x} \to \ell = x, 

which is a theorem of MLSL, since the length of a view is not changed by chopping vertically. 
If we use classical universal quantifier instantiation and substitute the vertically flexible term 
ω for x, then we would get 

\frac{\ell = \omega}{\ell = \omega} \to \ell = \omega \qquad (4.1) 

Now let V be a view satisfying the antecedent of (4.1). Then V can be vertically chopped 
such that its length equals its width on both subviews. Now let ℓ = c. Then also ω = c 
for both subviews. Since V consists of both these subviews, V satisfies ω = 2c. But the 
conclusion of (4.1) states that V should satisfy ω = ℓ = c. However, we could of course 
substitute x by the vertically rigid term ℓ. 


We denote vertical (horizontal) chop-freeness by the predicate vcf (hcf) and vertical 
(horizontal) rigidity by vri (hri). The rules defining all four predicates are 
straightforward, since both rigidity and chop-freeness are syntactic properties. All atomic 
formulas are vertically and horizontally chop-free. For ⊗ being a Boolean operator or the 
horizontal chop ⌢, the following rules give vertical chop-freeness. 

\frac{\mathrm{vcf}(\varphi) \quad \mathrm{vcf}(\psi)}{\mathrm{vcf}(\varphi \otimes \psi)}\ \mathrm{vcf}{\otimes}I 
\qquad 
\frac{\mathrm{vcf}(\varphi \otimes \psi)}{\mathrm{vcf}(\varphi)}\ \mathrm{vcf}{\otimes}E 
\qquad 
\frac{\mathrm{vcf}(\varphi \otimes \psi)}{\mathrm{vcf}(\psi)}\ \mathrm{vcf}{\otimes}E 


The rules for quantifiers and the horizontal rules are defined similarly. 

For terms, ℓ is vertically rigid and ω is horizontally rigid. The spatial atoms re(c) and 
cl(c) are neither horizontally nor vertically rigid, since they require the view to possess an 
extension greater than zero and exactly one lane. Equality is both vertically and horizontally 
rigid, as long as both compared terms are rigid. We show some exemplary rules, where ⊗ 
is an arbitrary binary operator. 
\frac{\mathrm{hri}(\varphi) \quad \mathrm{hri}(\psi)}{\mathrm{hri}(\varphi \otimes \psi)}\ \mathrm{hri}{\otimes}I 
\qquad 
\frac{\mathrm{hri}(\varphi \otimes \psi)}{\mathrm{hri}(\varphi)}\ \mathrm{hri}{\otimes}E 
\qquad 
\frac{\mathrm{hri}(\varphi \otimes \psi)}{\mathrm{hri}(\psi)}\ \mathrm{hri}{\otimes}E 


We have only two simple rules for the relations between views. First, we state that 
each view V is decomposable into two subviews. This is true, since we allow for the empty 
view, i.e., the view without lanes or with a point-like extension. We use ∃ to denote 
existential quantification over views. To use the relations between views, we have to be able 
to instantiate views, i.e., we have to introduce a rule for the elimination of existential quantifiers 
over views. As a side condition for this elimination rule, we require that TS,V_3: φ does not 
depend on any assumption including V_1 or V_2 as a label, except for V = V_1 ⊖ V_2. The 
rule itself is a straightforward adaptation of the classical rule. Again, we only show the case 
for the vertical relations. 

\frac{}{\exists V', V'' (V = V' \ominus V'')}\ \mathrm{VDec} 
\qquad 
\frac{\exists V', V'' (V = V' \ominus V'') \qquad \begin{array}{c} [V = V_1 \ominus V_2] \\ \vdots \\ TS,V_3\colon \varphi \end{array}}{TS,V_3\colon \varphi}\ \exists E 


The intuition of rigidity is formalized in the following rules. Whenever a formula is 
horizontally rigid, the formula holds on all views horizontally reachable from the current 
view. Observe that the traffic snapshot may change arbitrarily, since horizontally rigid 
formulas are also dynamically rigid. The rules for vertical rigidity are similar. 


\frac{TS,V\colon \varphi \quad \mathrm{hri}(\varphi) \quad V = V_1 \oplus V_2}{TS',V_1\colon \varphi}\ Rh 
\qquad 
\frac{TS,V\colon \varphi \quad \mathrm{hri}(\varphi) \quad V = V_1 \oplus V_2}{TS',V_2\colon \varphi}\ Rh 

\frac{TS,V_1\colon \varphi \quad \mathrm{hri}(\varphi) \quad V = V_1 \oplus V_2}{TS',V\colon \varphi}\ Rh 
\qquad 
\frac{TS,V_2\colon \varphi \quad \mathrm{hri}(\varphi) \quad V = V_1 \oplus V_2}{TS',V\colon \varphi}\ Rh 


For the first-order operators, we use the typical definitions of labelled natural deduction 
rules [BMV98]. The only difference lies in the rules for quantification. We may instantiate 
a universally quantified variable with a horizontally (vertically) rigid term, if the formula is 
vertically (horizontally) chop-free. If the formula is completely chop-free, we may instantiate 
the variable with an arbitrary term. Similarly, rigid terms may instantiate x in arbitrary 
formulas. In all cases, a side condition for the instantiation is that s respects the sort of x. 


\frac{TS,V\colon \forall x \bullet \varphi \quad \mathrm{hcf}(\varphi) \quad \mathrm{vri}(s)}{TS,V\colon \varphi[x \mapsto s]}\ \forall E 
\qquad 
\frac{TS,V\colon \forall x \bullet \varphi \quad \mathrm{vcf}(\varphi) \quad \mathrm{hri}(s)}{TS,V\colon \varphi[x \mapsto s]}\ \forall E 

\frac{TS,V\colon \forall x \bullet \varphi \quad \mathrm{hcf}(\varphi) \quad \mathrm{vcf}(\varphi)}{TS,V\colon \varphi[x \mapsto s]}\ \forall E 
\qquad 
\frac{TS,V\colon \forall x \bullet \varphi \quad \mathrm{hri}(s) \quad \mathrm{vri}(s)}{TS,V\colon \varphi[x \mapsto s]}\ \forall E 
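To make the side conditions of the four ∀E variants concrete, the following Python script (an added example, not code from the paper) implements the syntactic predicates vcf, hcf, vri and hri over a small term and formula AST, selects the ∀E variant that licenses an instantiation, and replays Example 4.4 on a toy view semantics. Beyond what the page states it assumes that variables and constants are rigid in both directions, that + is rigid when both operands are, and that ∀ passes rigidity and chop-freeness through to its body; the integer-extent evaluator holds() is a constructed demonstration fragment, not the paper's semantics.

```python
"""Side conditions of the four forall-E variants of the EMLSL calculus, checked
syntactically, plus a toy evaluator replaying the counterexample of Example 4.4.
Added example, not code from the paper.  Assumptions not on the page: variables and
constants are rigid both ways, '+' is rigid iff both operands are, forall passes through."""
from dataclasses import dataclass
from typing import Any, Optional, Tuple


@dataclass(frozen=True)
class Node:
    """Term kinds: var, const, ell, omega, plus.  Formula kinds: atom, eq, not, and, or, imp, hchop, vchop, forall."""
    kind: str
    args: Tuple[Any, ...] = ()


ELL, OMEGA = Node("ell"), Node("omega")          # length and width of the view
def var(name: str) -> Node: return Node("var", (name,))
def const(v: int) -> Node: return Node("const", (v,))
def eq(s: Node, t: Node) -> Node: return Node("eq", (s, t))
def imp(a: Node, b: Node) -> Node: return Node("imp", (a, b))
def hchop(a: Node, b: Node) -> Node: return Node("hchop", (a, b))
def vchop(top: Node, bottom: Node) -> Node: return Node("vchop", (top, bottom))


def rigid(e: Node, horizontal: bool) -> bool:
    """hri (horizontal=True) / vri (horizontal=False) of a term or formula."""
    if e.kind in ("var", "const"):         # assumption: valuation-given, view-independent
        return True
    if e.kind in ("ell", "omega"):         # ell survives vertical, omega horizontal chops
        return (e.kind == "omega") == horizontal
    if e.kind == "atom":                   # re(c), cl(c), free need one lane and ext > 0
        return False
    parts = e.args[1:] if e.kind == "forall" else e.args
    return all(rigid(p, horizontal) for p in parts)   # eq, plus, not, any binary op


def chop_free(f: Node, horizontal: bool) -> bool:
    """hcf (horizontal=True) / vcf (horizontal=False): no chop in that direction."""
    if f.kind in ("atom", "eq"):
        return True                        # atomic formulas are chop-free both ways
    if (f.kind == "hchop" and horizontal) or (f.kind == "vchop" and not horizontal):
        return False
    parts = f.args[1:] if f.kind == "forall" else f.args
    return all(chop_free(p, horizontal) for p in parts)


def forall_e_variant(body: Node, s: Node) -> Optional[str]:
    """Name the forall-E variant licensing phi[x -> s] for forall x.phi, or None."""
    hri_s, vri_s = rigid(s, True), rigid(s, False)
    hcf_f, vcf_f = chop_free(body, True), chop_free(body, False)
    if hri_s and vri_s:
        return "rigid term"
    if hcf_f and vcf_f:
        return "chop-free formula"
    if hcf_f and vri_s:
        return "hcf(phi), vri(s)"
    if vcf_f and hri_s:
        return "vcf(phi), hri(s)"
    return None


def subst(e: Node, x: str, s: Node) -> Node:
    """phi[x -> s]; s is closed here, so no variable capture can occur."""
    if e.kind == "var":
        return s if e.args[0] == x else e
    if e.kind == "forall":
        return e if e.args[0] == x else Node("forall", (e.args[0], subst(e.args[1], x, s)))
    return Node(e.kind, tuple(subst(a, x, s) if isinstance(a, Node) else a for a in e.args))


def holds(f: Node, view: Tuple[int, int]) -> bool:
    """Toy semantics for the variable-free ell/omega fragment: a view is
    (length, width) with integer extent, so only integer chop points are tried."""
    length, width = view
    def val(t: Node) -> int:
        if t.kind == "const": return t.args[0]
        if t.kind == "ell": return length
        if t.kind == "omega": return width
        return val(t.args[0]) + val(t.args[1])             # plus
    if f.kind == "eq":
        return val(f.args[0]) == val(f.args[1])
    if f.kind == "not":
        return not holds(f.args[0], view)
    if f.kind in ("and", "or", "imp"):
        a, b = holds(f.args[0], view), holds(f.args[1], view)
        return {"and": a and b, "or": a or b, "imp": (not a) or b}[f.kind]
    if f.kind == "vchop":                  # split the lanes; the length stays the same
        return any(holds(f.args[0], (length, k)) and holds(f.args[1], (length, width - k))
                   for k in range(width + 1))
    if f.kind == "hchop":                  # split the extent; the width stays the same
        return any(holds(f.args[0], (k, width)) and holds(f.args[1], (length - k, width))
                   for k in range(length + 1))
    raise ValueError(f"outside the evaluable fragment: {f.kind}")


# Example 4.4: forall x . ((ell = x) stacked over (ell = x)) -> ell = x
X = var("x")
EX44_BODY = imp(vchop(eq(ELL, X), eq(ELL, X)), eq(ELL, X))


def example_4_4() -> dict:
    """Per candidate term: the licensing forall-E variant (None = blocked) and whether
    the instance holds on the view with ell = 1 and omega = 2 (the paper's counterexample)."""
    out = {}
    for name, s in (("omega", OMEGA), ("ell", ELL), ("const 1", const(1))):
        out[name] = (forall_e_variant(EX44_BODY, s), holds(subst(EX44_BODY, "x", s), (1, 2)))
    return out
```

The omega entry comes back as (None, False): no variant licenses ω, and the instance (4.1) indeed fails on a view of length 1 and width 2, while ℓ is licensed by the hcf/vri variant and its instance holds.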


The elimination and introduction rules for the chop modalities are adopted from Rasmussen 
[Ras01], and resemble the rules for existential quantification. We only show the case 
for the horizontal chop; the rules for vertical chopping are obtained straightforwardly, by 
replacing horizontal modalities and relations by the vertical ones. 


\frac{TS,V_1\colon \varphi \quad TS,V_2\colon \psi \quad V = V_1 \oplus V_2}{TS,V\colon \varphi \frown \psi}\ {\frown}I 
\qquad 
\frac{TS,V\colon \varphi \frown \psi \qquad \begin{array}{c} [TS,V_1\colon \varphi] \ [TS,V_2\colon \psi] \ [V = V_1 \oplus V_2] \\ \vdots \\ TS',V'\colon \chi \end{array}}{TS',V'\colon \chi}\ {\frown}E 
The chopping of intervals is not ambiguous, i.e., there is a unique view of a certain 
length at the beginning of a view. This is the single decomposition property [Dut95] of 
interval logics, captured in the following rules. Hence when there are two vertical chops 
of a view and the upper parts are of equal width, we can derive that the same formulas 
hold on the lower parts. Even though we only show the vertical set of rules, similar rules 
hold for the horizontal chopping of views. 

\frac{TS,V_1\colon \varphi \quad TS,V_2\colon \omega = s \quad TS,V_2'\colon \omega = s \quad \mathrm{vri}(s) \quad V = V_1 \ominus V_2 \quad V = V_1' \ominus V_2'}{TS,V_1'\colon \varphi} 

\frac{TS,V_2\colon \varphi \quad TS,V_1\colon \omega = s \quad TS,V_1'\colon \omega = s \quad \mathrm{vri}(s) \quad V = V_1 \ominus V_2 \quad V = V_1' \ominus V_2'}{TS,V_2'\colon \varphi} 


The additivity of length and width can be formalized by the following rules. 

\frac{TS,V_1\colon \omega = s \quad TS,V_2\colon \omega = t \quad \mathrm{vri}(s) \quad \mathrm{vri}(t) \quad V = V_1 \ominus V_2}{TS,V\colon \omega = s + t}\ V{+}I 

\frac{TS,V\colon \omega = s + t \quad \mathrm{vri}(s) \quad \mathrm{vri}(t) \qquad \begin{array}{c} [TS,V_1\colon \omega = s] \ [TS,V_2\colon \omega = t] \ [V = V_1 \ominus V_2] \\ \vdots \\ TS',V'\colon \varphi \end{array}}{TS',V'\colon \varphi}\ V{+}E 


The dynamic modalities are defined along the lines of Basin et al. [BMV98]. If a 
transition from the current snapshot is possible, the box modalities may be eliminated, and 
if we can prove that, under the assumption of a fresh transition α, φ holds on the now 
reachable snapshot, then □_α φ holds. In the □_α introduction rule, the label TS',V' may not 
occur in any assumption TS',V': φ depends on, with the exception of TS,V →^{α} TS',V'. 

\frac{TS,V \xrightarrow{\alpha} TS',V' \quad TS,V\colon \Box_\alpha \varphi}{TS',V'\colon \varphi}\ \Box_\alpha E 
\qquad 
\frac{\begin{array}{c} [TS,V \xrightarrow{\alpha} TS',V'] \\ \vdots \\ TS',V'\colon \varphi \end{array}}{TS,V\colon \Box_\alpha \varphi}\ \Box_\alpha I 

Finally, we have to define how the spatial atoms behave with respect to occurring 
transitions. There are two types of rules in general, stability rules and activity rules. Stability 
rules define which atoms stay true after a snapshot changes according to a certain transition. 
The truth of all reservations and claims of cars not involved in the transition is unchanged. 
Only one stability rule for creating reservations includes the car which is the source of the 
transition. We will show this rule and one example for typical stability. The activity rules 
state how the reservations and claims of cars will change according to the transitions. 

The following stability rules show that whenever a car creates a new claim, the reservations 
and claims of other cars are unchanged. We have similar stability rules for the other 
types of transitions. 

\frac{TS,V\colon cl(c) \quad TS,V \xrightarrow{c(d)} TS',V \quad TS,V\colon c \neq d}{TS',V\colon cl(c)} 
\qquad 
\frac{TS,V\colon re(c) \quad TS,V \xrightarrow{c(d)} TS',V \quad TS,V\colon c \neq d}{TS',V\colon re(c)} 
The activity rule for c(c) implies two properties. First, a claim may only be created 
when only one reservation exists. Second, the newly created claim resides on one side of 
the existing reservation. Observe that we require the view under consideration to comprise 
both adjacent lanes of the reservation. If we dropped this assumption (i.e., removed the 
subformulas ω = 1), it would be possible for the newly created claim to reside outside of 
the view V, and hence the conclusion would not be satisfied. 

\frac{TS,V\colon \begin{array}{c} \neg(re(c) \lor cl(c)) \land \omega = 1 \\ \hline re(c) \\ \hline \neg(re(c) \lor cl(c)) \land \omega = 1 \end{array} \quad TS,V \xrightarrow{c(d)} TS',V \quad TS,V\colon c = d}{TS',V\colon \begin{array}{c} \neg(re(c) \lor cl(c)) \land \omega = 1 \\ \hline re(c) \\ \hline cl(c) \end{array} \lor \begin{array}{c} cl(c) \\ \hline re(c) \\ \hline \neg(re(c) \lor cl(c)) \land \omega = 1 \end{array}}\ \xrightarrow{c(c)}A 

Activity rules for the creation of reservations in between traffic snapshots are: 

\frac{TS,V\colon cl(c) \quad TS,V \xrightarrow{r(d)} TS',V \quad TS,V\colon c = d}{TS',V\colon re(c)}\ \xrightarrow{r(c)}A_1 
\qquad 
\frac{TS,V\colon re(c) \quad TS,V \xrightarrow{r(d)} TS',V \quad TS,V\colon c = d}{TS',V\colon re(c)}\ \xrightarrow{r(c)}A_2 

The following activity rules define the withdrawal of reservations and claims. 

\frac{TS,V\colon \frac{re(c)}{re(c)} \quad TS,V \xrightarrow{wd\,r(d)} TS',V \quad TS,V\colon c = d}{TS',V\colon \frac{\neg re(c)}{re(c)} \lor \frac{re(c)}{\neg re(c)}}\ \xrightarrow{wd\,r(c)}A 
\qquad 
\frac{TS,V \xrightarrow{wd\,c(c)} TS',V}{TS',V\colon \neg cl(c)}\ \xrightarrow{wd\,c(c)}A 


Note that we cannot define rules relating the spatial situations along evolutions of 
time. This is due to the fact that we lost all knowledge about the concrete dynamics of 
the underlying semantics. Hence all constraints on the cars’ behaviour have to be explicitly 
defined within EMLSL, like the exemplary requirement for a safe distance controller in 
Section 

We also have rules for “backwards” reasoning, i.e., if our current snapshot is reach¬ 
able from another, we may draw conclusions about the originating snapshot. Again, we 
differentiate between activity and stability rules (omitted here). 


\frac{TS',V\colon re(c) \quad TS,V \xrightarrow{r(d)} TS',V \quad TS,V\colon c = d}{TS,V\colon re(c) \lor cl(c)}\ \xleftarrow{r(c)}A 
\qquad 
\frac{TS',V\colon cl(c) \quad TS,V \xrightarrow{c(d)} TS',V \quad TS,V\colon c = d}{TS,V\colon \neg cl(c)}\ \xleftarrow{c(c)}A 

\frac{TS',V\colon \begin{array}{c} \omega = 1 \\ \hline re(c) \\ \hline \omega = 1 \end{array} \quad TS,V \xrightarrow{wd\,r(d)} TS',V \quad TS,V\colon c = d}{TS,V\colon \begin{array}{c} re(c) \\ \hline re(c) \\ \hline \omega = 1 \end{array} \lor \begin{array}{c} \omega = 1 \\ \hline re(c) \\ \hline re(c) \end{array}}\ \xleftarrow{wd\,r(c)}A 

Observe that we cannot reason backwards along withdrawals of claims, since these may 
be taken anytime, even when no claim previously existed (cf. Def. 2.2). 
Theorem 4.5. The calculus of labelled natural deduction for EMLSL is sound. 


Proof. Since we do not have any inference rules for the transitions between snapshots and 
the rules for relations between views are straightforward, we only have to consider the case 
of derivations of labelled formulas. 

We proceed by induction on the length of derivations to show that Γ, Δ ⊢ TS,V: φ implies 
Γ, Δ ⊨ TS,V: φ. 

If TS,V: φ ∈ Γ, then trivially Γ, Δ ⊨ TS,V: φ. 

For the induction step, assume that for all smaller derivations Γ_i, Δ_i ⊢ TS_i,V_i: φ_i, we 
already have Γ_i, Δ_i ⊨ TS_i,V_i: φ_i. 

We only show some exemplary cases: the rigidity rules and the elimination of the universal 
quantifier. Proofs for the other rules are either analogous, or can be straightforwardly 
inferred from the work of Rasmussen [Ras01], Basin et al. [BMV98] and Viganò [Vig00]. 
However, we explicitly prove the soundness of all activity rules for reasoning forwards and 
backwards along traffic transitions. 

The last step in the derivation is an application of Rh. Then φ is horizontally rigid. 
Let Γ, Δ ⊢ TS,V: φ, Δ' = {V = V_1 ⊕ V_2} ∪ Δ and ν ⊨ (Γ, Δ'), and hence also ν ⊨ (Γ, Δ). 
By the induction hypothesis, we have ν ⊨ TS,V: φ. By Def. 4.2 we get TS,V,ν ⊨ φ. 
Now we may use Lemma 2.17 twice, once to get TS',V,ν ⊨ φ (since φ is also dynamically 
rigid) and the second time to get TS',V_1,ν ⊨ φ. Finally, we have ν ⊨ TS',V_1: φ. The 
other cases of this rule are proven similarly. 

The last step in the derivation is an application of the first variant of ∀E. Then φ is 
horizontally chop-free and s is vertically rigid. Let Γ, Δ ⊢ TS,V: ∀x • φ and ν ⊨ (Γ, Δ). 
By the induction hypothesis, we have ν ⊨ TS,V: ∀x • φ, i.e., TS,V,ν ⊨ ∀x • φ. Since φ 
is horizontally chop-free, it may at most contain a vertical chop. However, the value ν_V(s) 
is constant on all vertical subviews of V, hence also for all subformulas of φ. All in all, 
TS,V,ν ⊨ φ[x ↦ s], i.e., ν ⊨ TS,V: φ[x ↦ s]. The other variants of the quantifier 
elimination are analogous. 


The last step in the derivation is an application of →^{wd r(c)} A. Then let 

\Gamma_1, \Delta \vdash TS,V\colon \frac{re(c)}{re(c)} \quad \text{and} \quad \Gamma_2, \Delta \vdash TS,V\colon c = d, 

with Γ_1 ∪ Γ_2 = Γ and TS,V →^{wd r(d)} TS',V ∈ Δ, which by the induction hypothesis implies 
both 

\Gamma_1, \Delta \models TS,V\colon \frac{re(c)}{re(c)} \quad \text{and} \quad \Gamma_2, \Delta \models TS,V\colon c = d. 

We assume ν ⊨ (Γ, Δ), i.e., ν ⊨ (Γ_1, Δ) and ν ⊨ (Γ_2, Δ). Hence 

\nu \models TS,V\colon \frac{re(c)}{re(c)}, \quad \nu \models TS,V\colon c = d \quad \text{and} \quad \nu \models TS,V \xrightarrow{wd\,r(d)} TS',V. 

Let V = V_1 ⊖ V_2, such that TS,V_1,ν ⊨ re(c) and TS,V_2,ν ⊨ re(c), with V_i = (L_i, X_i, E). 
We know that there is an n_0 such that TS →^{wd r(ν(d), n_0)} TS'. Let n_0 ∈ L_1. Then by 
Definition 2.2 we have that res'_{V_2}(ν(d)) = ∅, which means TS',V_2,ν ⊭ re(c), that is, 
TS',V_2,ν ⊨ ¬re(c). Furthermore, we have n_0 ∈ res'_{V_1}(ν(d)), i.e., TS',V_1,ν ⊨ re(c). By 
definition of the vertical chop, we get 

TS',V,\nu \models \frac{re(c)}{\neg re(c)} 

and hence 

TS',V,\nu \models \frac{re(c)}{\neg re(c)} \lor \frac{\neg re(c)}{re(c)}. 

If n_0 ∈ L_2, the reasoning is analogous. All in all, we get that 

\nu \models TS',V\colon \frac{re(c)}{\neg re(c)} \lor \frac{\neg re(c)}{re(c)}. 

The last step in the derivation is an application of →^{r(c)} A. Then let Γ_1, Δ ⊢ TS,V: cl(c), 
Γ_2, Δ ⊢ TS,V: c = d, with Γ_1 ∪ Γ_2 = Γ and TS,V →^{r(d)} TS',V ∈ Δ. By the induction 
hypothesis we get Γ_1, Δ ⊨ TS,V: cl(c) and Γ_2, Δ ⊨ TS,V: c = d. Now assume ν ⊨ (Γ, Δ). 
That is, ν(c) = ν(d), TS,V,ν ⊨ cl(c) and TS →^{r(ν(d))} TS'. Thus clm_V(ν(c)) = L, where 
L are the lanes of V. By Definition 2.2 we get that res'(ν(d)) = res(ν(d)) ∪ clm(ν(d)) 
and, since ν(c) = ν(d), res'_V(ν(c)) = clm_V(ν(c)) = L. So TS',V,ν ⊨ re(c) and by that 
ν ⊨ TS',V: re(c). 

Let the last step of the derivation be an application of →^{wd c(c)} A. Furthermore, let 
Γ, Δ ⊢ TS,V →^{wd c(c)} TS',V, i.e. TS,V →^{wd c(c)} TS',V ∈ Δ. Hence TS →^{wd c(ν(c))} TS' is true. 
That is, clm'(ν(c)) = ∅, which implies TS',V,ν ⊨ ¬cl(c). Thus ν ⊨ TS',V: ¬cl(c). 

Let the last step of the derivation be an application of →^{c(c)} A. Furthermore we assume 

\Gamma_1, \Delta \vdash TS,V\colon \begin{array}{c} \neg(re(c) \lor cl(c)) \land \omega = 1 \\ \hline re(c) \\ \hline \neg(re(c) \lor cl(c)) \land \omega = 1 \end{array}, 

Γ_2, Δ ⊢ TS,V: c = d and TS,V →^{c(d)} TS',V ∈ Δ. Furthermore, let Γ = Γ_1 ∪ Γ_2 and 
ν ⊨ (Γ, Δ). That is, for V = (L,X,E), we know that L contains exactly three elements, 
say L = {n_1, n_2, n_3}, and that res(ν(c)) = {n_2} and clm(ν(c)) = ∅. Now consider TS'. 
Since ν ⊨ TS,V →^{c(d)} TS',V, we have TS →^{c(ν(d), n')} TS' for either n' = n_1 or n' = n_3. 
Furthermore, due to ν(c) = ν(d) we know that clm'(ν(c)) = {n'}. Say n' = n_1. Then 
TS',V^{{n_1}},ν ⊨ cl(c). Note that the extension of V^{{n_1}} has to be greater than zero, since 
the subview V^{{n_2}} already satisfies re(c). Due to res = res', we get 

TS',V,\nu \models \begin{array}{c} \neg(re(c) \lor cl(c)) \land \omega = 1 \\ \hline re(c) \\ \hline cl(c) \end{array} 
\;\Rightarrow\; \nu \models TS',V\colon \begin{array}{c} \neg(re(c) \lor cl(c)) \land \omega = 1 \\ \hline re(c) \\ \hline cl(c) \end{array} 
\;\Rightarrow\; \nu \models TS',V\colon \begin{array}{c} \neg(re(c) \lor cl(c)) \land \omega = 1 \\ \hline re(c) \\ \hline cl(c) \end{array} \lor \begin{array}{c} cl(c) \\ \hline re(c) \\ \hline \neg(re(c) \lor cl(c)) \land \omega = 1 \end{array} 

The case where n' = n_3 is similar. 
The last step of the derivation is an application of ←^{c(c)} A. Then Γ_1, Δ ⊢ TS',V: cl(c), 
Γ_2, Δ ⊢ TS,V: c = d, with Γ_1 ∪ Γ_2 = Γ and TS,V →^{c(d)} TS',V ∈ Δ, which by the 
induction hypothesis implies both Γ_1, Δ ⊨ TS',V: cl(c) and Γ_2, Δ ⊨ TS,V: c = d. We 
assume ν ⊨ (Γ_1, Δ) and ν ⊨ (Γ_2, Δ). Since c = d is dynamically rigid, we also have 
ν ⊨ TS',V: c = d by Lemma 2.17. So ν_V(c) = ν_V(d). There can only be a transition 
creating a new claim for ν_V(c) from TS to TS' if clm(ν_V(c)) = ∅ on TS. Hence, for each 
view V, TS,V,ν ⊨ ¬cl(c). Hence in particular TS,V,ν ⊨ ¬cl(c), i.e., ν ⊨ TS,V: ¬cl(c). 


Let the last step of the derivation be an application of ←^{wd r(c)} A and let 

\Gamma_1, \Delta \vdash TS',V\colon \begin{array}{c} \omega = 1 \\ \hline re(c) \\ \hline \omega = 1 \end{array}, \quad \Gamma_2, \Delta \vdash TS',V\colon c = d \quad \text{and} \quad TS,V \xrightarrow{wd\,r(d)} TS',V \in \Delta. 

Now assume ν ⊨ (Γ_1 ∪ Γ_2, Δ). By the induction hypothesis, we get 

\nu \models TS',V\colon \begin{array}{c} \omega = 1 \\ \hline re(c) \\ \hline \omega = 1 \end{array} \quad \text{and} \quad \nu \models TS',V\colon c = d. 

By that we know that the set of lanes L of V = (L,X,E) contains exactly three elements, 
say L = {n_1, n_2, n_3}, and by the semantics of the transitions (see Def. 2.2) and EMLSL (see 
Def. 2.15), we get res'(ν(c)) = {n_2}. The transition exists only when |res(ν(c))| = 2 and 
n_2 ∈ res(ν(c)), so there are only two possibilities (due to the sanity conditions of Def. 2.1): 
n_1 ∈ res(ν(c)) or n_3 ∈ res(ν(c)). Say n_1 ∈ res(ν(c)). Then 

TS,V,\nu \models \begin{array}{c} \omega = 1 \\ \hline re(c) \\ \hline re(c) \end{array} 

and hence 

\nu \models TS,V\colon \begin{array}{c} re(c) \\ \hline re(c) \\ \hline \omega = 1 \end{array} \lor \begin{array}{c} \omega = 1 \\ \hline re(c) \\ \hline re(c) \end{array}. 

The case for n_3 ∈ res(ν(c)) is similar. 


Let the last step in the derivation be an application of ←^{r(c)} A and let furthermore 
Γ_1, Δ ⊢ TS',V: re(c), Γ_2, Δ ⊢ TS,V: c = d and TS,V →^{r(d)} TS',V ∈ Δ. By the induction 
hypothesis, we get Γ_1, Δ ⊨ TS',V: re(c) and Γ_2, Δ ⊨ TS,V: c = d. Now let Γ = Γ_1 ∪ Γ_2 
and ν ⊨ (Γ, Δ). We then know that res'_V(c) = {n}, where V = (L, X, E) with L = {n} and 
‖X‖ > 0. By Def. 2.2 and ν(c) = ν(d) we get that res'(ν(c)) = res(ν(c)) ∪ clm(ν(c)). If 
n ∈ res(ν(c)), we have TS,V,ν ⊨ re(c), which implies TS,V,ν ⊨ re(c) ∨ cl(c). Similarly, 
if n ∈ clm(ν(c)), we get TS,V,ν ⊨ cl(c), which implies TS,V,ν ⊨ re(c) ∨ cl(c). That is, 
ν ⊨ TS,V: re(c) ∨ cl(c). □ 


Since models of EMLSL are based on the real numbers, we cannot hope for a complete 
deduction system. Even if we used an infinite and dense field instead of the real numbers, 
it is in no way obvious whether the resulting proof system would be complete. Typical 
approaches for constructing maximally consistent sets [Vig00] are not directly applicable, 
since they may result in an infinite number of lanes in the canonical model. 
As an example, we derive a variant of the reservation lemma, which we proved informally 
in our previous work [HLOR11]. 

Lemma 4.6 (Reservation). A reservation of a car c observed directly after c created a reservation 
was either already present or is due to a previously existing claim. I.e., assuming 
TS,V →^{r(c)} TS',V, the formula (re(c) ∨ cl(c)) ↔ □_{r(c)} re(c) holds. Hence 

\{TS,V \xrightarrow{r(c)} TS',V\} \vdash TS,V\colon (re(c) \lor cl(c)) \leftrightarrow \Box_{r(c)} re(c). 

Proof. The existence of the transition is of major importance for the elimination of the box 
modality in the proof using the backwards reasoning rule. For reasons of simplicity, we 
use a variant of the stability rules and activity rules, where d in the transition has been 
replaced by c, and hence we do not need the extra assumption TS,V: c = d. We use 
two auxiliary derivations Π_S and Π_A, which allow us to infer the existence of a reservation 
on the snapshot after taking a transition. 

\Pi_S\colon \quad \frac{[TS,V\colon re(c)]_1 \quad [TS,V \xrightarrow{r(c)} TS',V]_2}{TS',V\colon re(c)}\ \xrightarrow{r(c)}A_2 

\Pi_A\colon \quad \frac{[TS,V\colon cl(c)]_1 \quad [TS,V \xrightarrow{r(c)} TS',V]_2}{TS',V\colon re(c)}\ \xrightarrow{r(c)}A_1 

Derivation of ⊢ TS,V: (re(c) ∨ cl(c)) → □_{r(c)} re(c). 

\frac{\frac{\frac{\Pi_S \quad \Pi_A \quad [TS,V\colon re(c) \lor cl(c)]_3}{TS',V\colon re(c)}\ {\lor}E_1}{TS,V\colon \Box_{r(c)} re(c)}\ \Box_{r(c)}I_2}{TS,V\colon (re(c) \lor cl(c)) \to \Box_{r(c)} re(c)}\ {\to}I_3 

Derivation of {TS,V →^{r(c)} TS',V} ⊢ TS,V: □_{r(c)} re(c) → (re(c) ∨ cl(c)). 

\frac{\frac{\frac{[TS,V\colon \Box_{r(c)} re(c)]_1 \quad TS,V \xrightarrow{r(c)} TS',V}{TS',V\colon re(c)}\ \Box_{r(c)}E \quad TS,V \xrightarrow{r(c)} TS',V}{TS,V\colon re(c) \lor cl(c)}\ \xleftarrow{r(c)}A}{TS,V\colon \Box_{r(c)} re(c) \to (re(c) \lor cl(c))}\ {\to}I_1 

□ 


A second example showing how the rigidity rules and chopping rules interact is the 
following. 

Lemma 4.7 (Independence of Length and Width). For all traffic snapshots and views, the 
length of the view is the same on all vertical subviews, i.e. 

TS,V: ^i = x. 

1 = X 

£ — ^ 

Proof. First we show $\vdash TS,V\colon \frac{\ell = x}{\ell = x} \to \ell = x$. We define two auxiliary subderivations $\Pi_i$ ($i = 1, 2$), which are in essence applications of the rules for rigidity.

$$\Pi_i\colon\quad \infer[R_V]{TS,V\colon \ell = x}{\infer{vri(\ell = x)}{vri(\ell) & vri(x)} & [V = V_1 \ominus V_2]_1 & [TS,V_i\colon \ell = x]_1}$$
The eliminations of assumptions are due to the chop-elimination in the following proof. 

$$\infer[\to I_2]{TS,V\colon \frac{\ell = x}{\ell = x} \to \ell = x}{
  \infer[vCE_1]{TS,V\colon \ell = x}{\Pi_1 & \Pi_2 & \Bigl[TS,V\colon \frac{\ell = x}{\ell = x}\Bigr]_2}}$$


Now we turn to the other direction. Here, we need to assume that the decomposition 
of the view into two subviews is possible, i.e., the derivation contains an application of the 
elimination rule for the existential quantifier for views. 

For reasons of readability, we define two subderivations $\Pi'_i$ ($i = 1, 2$). In each of these derivations we infer from the assumption that $V$ has an extension of length $x$ that also the subview $V_i$ has an extension of length $x$. 

$$\Pi'_i\colon\quad \infer[R_V]{TS,V_i\colon \ell = x}{\infer{vri(\ell = x)}{vri(\ell) & vri(x)} & [V = V_1 \ominus V_2]_2 & [TS,V\colon \ell = x]_1}$$

The eliminations of the assumptions indicated by the indices are due to the rules used 
in the final derivation, as follows. 


$$\infer[\to I_1]{TS,V\colon \ell = x \to \frac{\ell = x}{\ell = x}}{
  \infer[\exists E_2]{TS,V\colon \frac{\ell = x}{\ell = x}}{
    \infer[vCI]{TS,V\colon \frac{\ell = x}{\ell = x}}{\Pi'_1 & \Pi'_2 & [V = V_1 \ominus V_2]_2}
    & \exists V',V''\,(V = V' \ominus V'')}}$$


By the combination of both these derivations and the usual shortcut for biimplication in¬ 
troduction, we get the desired result. □ 
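The semantic content of Lemma 4.7, as an added example in Python (not code from the paper): it assumes the usual MLSL model of a view as a set of consecutive lanes together with a real extension interval, with $\ell$ measuring that extension, vertical chop splitting the lane set and horizontal chop splitting the extension. It checks, over constructed views, that the length is the same on every vertical subview and, for contrast, that the lengths of horizontal subviews add up instead.

```python
# Added example, not from the paper. Assumed model (standard MLSL views):
# a view is a tuple of consecutive lanes plus a real extension interval;
# ell is the length of the extension; vertical chop splits the lanes and
# keeps the extension, horizontal chop splits the extension and keeps the lanes.
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class View:
    lanes: tuple   # consecutive lane numbers, e.g. (0, 1, 2); may be empty
    ext: tuple     # extension interval (a, b) with a <= b

    def length(self):
        """Semantics of ell: the length of the extension of the view."""
        return self.ext[1] - self.ext[0]


def vertical_chops(v):
    """All decompositions V = V1 (vertical chop) V2: split lanes, keep ext.
    The empty lane set is allowed, matching the axiom that a vertical
    decomposition always exists (used via exists-E in the proof above)."""
    for k in range(len(v.lanes) + 1):
        yield View(v.lanes[:k], v.ext), View(v.lanes[k:], v.ext)


def horizontal_chops(v, steps=4):
    """Sampled decompositions V = V1 (horizontal chop) V2: split ext, keep lanes."""
    a, b = v.ext
    for i in range(steps + 1):
        m = a + (b - a) * Fraction(i, steps)
        yield View(v.lanes, (a, m)), View(v.lanes, (m, b))


def lengths_on_vertical_subviews(v):
    """Set of all lengths observed on vertical subviews of v."""
    return {w.length() for pair in vertical_chops(v) for w in pair}


def vertical_chop_preserves_length(v):
    """Lemma 4.7, semantically: ell = x holds on V iff it holds on both
    vertical subviews, for every vertical decomposition of V."""
    return lengths_on_vertical_subviews(v) == {v.length()}


def horizontal_chop_adds_length(v):
    """Contrast: under horizontal chop the lengths add, so ell = x is not
    preserved by the subviews there (the rigidity rule R_V does not apply)."""
    return all(v1.length() + v2.length() == v.length()
               for v1, v2 in horizontal_chops(v))
```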


5. Related and Future Work 

Most related work on spatial logics is focused on purely qualitative spatial reasoning [vBB07], 
e.g., the expressible properties concern topological relations [RCC92]. Logics expressing 
quantitative spatial properties are rare; an example is Schäfer's Shape Calculus (SC) [Sch05], 
which is a very general extension of DC. Contrasting SC, the focus of EMLSL lies on a 
restricted field of application, i.e., highway traffic. 

EMLSL is an instance of a multi-dimensional and multi-modal logic [GKWZ03], since 
it consists of various different modal operators, which are not interdefinable. However, the 
modalities are strongly interconnected, e.g. the creation of a reservation only has an effect 
if there was a preceding creation of a claim for the same car. Hence EMLSL is not simply 
a fusion of the corresponding uni-modal languages, but presumably determined by a class 
of suitable product frames. It is worthwhile to study which properties the parts of these 
frames are required to have. 

Labelled natural deduction for (multi-)modal logics has been studied intensely recently. 
E.g., when the rules for relational formulas can be defined with Horn clauses as antecedents, 
nice meta-theoretical properties like normalization of proofs can be established [BMV98, 
Vig00]. In intuitionistic modal logic, similar results are obtained when the relational theory 
is defined using only geometric sequents [Sim94]. Unfortunately, even with our restricted 
set of rules for view relations, these results do not carry over to our setting, since we made 
use of existential quantification on views. Consider, e.g., the proof of Lemma 4.7. There 
the relational rule for the elimination of existential quantification over views is used within 
an otherwise purely logical deduction. Still we would like to explore how rules for the 
manipulation of traffic snapshots could blend in. However, due to the complex internal 
structure of traffic snapshots, we do not expect such rules to be definable by Horn clauses. 

The labelling algebra is deeply intertwined with the predicates and operators of EMLSL. 
Changes in the former would induce adaptations in the latter and vice versa. For example, 
a possible extension would be to exchange the dynamic modality $\Box$ by a metric variant 
where $a$ and $b$ are elements of a suitable domain of time, say $\mathbb{R}$. This change would 
have to be reflected in the labelling algebra by replacing the relation $\to$ with transitions 
labelled by real numbers (or real-valued variables). Then rules expressing the properties of 
these relational formulas may be added, e.g., for additivity of durations. 

Rasga et al. investigated the fibring [CSS05] of labelled deductive systems [RSSV02]. 
We assume that the deduction system of Sec. 4 is an instance of such a fibring, where 
the Boolean operators are shared between all deduction systems involved. A further classification of EMLSL (or a suitable subset) and its proof system within the framework of 
fibring and multi-dimensional logics would be of interest in order to use preservation results 
concerning, e.g., decidability. 

To further increase the possible applications of EMLSL, we seek to introduce a global 
box modality $\Box$. Intuitively, a formula $\Box\phi$ shall express that $\phi$ is an invariant over all 
possible sequences of transitions. This modality is not expressible with the help of the other 
modalities and is intuitively similar to an iteration of the transitions like in dynamic logic 
[HTK00]. Finally, an implementation within a general theorem prover like Isabelle [Pau94], 
similar to implementations for modal or interval logics [BMV98, Vig00, Ras01], would increase the usefulness of the proof system. 